GPO not applying to an OU

We have a batch file (logon.bat) that maps drives whenever a user logs on.

This script is applied by Group Policy to the entire domain.

Initially, this worked perfectly, as we always wanted this script to be applied. However, now we have PCs at a remote site accessing the domain via a VPN link. These PCs can take as long as 5 minutes to log on due to the combination of the drive mapping script and the slow VPN link. I experimented by removing "logon.bat" from the "Default Domain Policy" GPO, and users at the remote site could log on a few minutes faster. This is perfect- I can manually map drives at the remote site for the small number of users who need network access there.

What I then tried to do, was to create two OUs: "Main office" (where we want to continue to use the drive mapping script), and "Off-site" (for the remote site, and also laptops which are domain-joined).

The only problem is that, when I remove the reference to "logon.bat" from the "Default Domain Policy" GPO, and add it to the "Map drives at logon" GPO applied to "Main office", it no longer gets applied to the main office. I can't selectively apply drive mapping only to users at the main site.

We can't keep using an all-or-nothing approach to this logon script any more because of the performance impact it has to users working remotely.

Does anyone have any idea why the drive mapping stops working when I try to get a different GPO to handle it?

Thanks. I'm a little surprised that user settings are only applied if you assign a GPO to a user (and likewise computer settings for a GPO assigned to computer). I had assumed that both user and computer settings would be applied to whatever user or computer the GPO was assigned to. Looks like I was completely wrong about that. So doing what I was planning (applying a user policy only to certain computers) won't be as straightforward as I thought.

It is still fairly straightfoward. Either modify the existing policy to enable loopback mode processing (computer configuration/Admin Templates/System/GroupPolicy/Loopback Policy - enable the setting and for you, probably set it to merge) or create a new policy with this setting and have the new policy applied before your drive mapping policy.

Thanks. I found this video does a brilliant job of explaining Group Policy Loopback Processing to anyone using it for the first time: youtube.com/watch?v=2bZGMtOCXN0

I would love to setup another server, but it's a non-profit organization with a tight budget, and I don't think they could justify the expense... especially considering this already works very well (apart from the delayed logon). I am excited to test out GP loopback processing tonight (probably going for "merge" rather than "replace") as this looks like it could solve the last problem they have with this configuration.

So, conversely, if I have a GPO with computer policies applied to a user OU, the computer policies will not be applied either?

If you had a GPO applied to a computer OU, and simply set loopback processing to "replace" mode (but didn't actually define any user settings in that GPO so it didn't actually conflict with any user settings), would it still prevent all user settings (defined by other GPOs and applied to users logging on to this computer) from being applied?

If you set the policy mode to "replace", it will drop user policy settings that have been applied in a different OU with any user policy settings defined in policy objects applied in the current OU after the loopback policy is applied. Meaning, if you have a second policy object in the computer OU with user settings that is applied after the policy that enables the loopback policy in replace mode, those settings will still be applied. However, any policy settings from a user OU will not be applied.

I have just tried Group Policy loopback processing. For some reason, the policy initially wouldn't process drive mapping using the "merge" option (not sure why). Then I set the loopback processing to "replace", and drives started mapping properly when users logged in. After that, it continued to work even after I changed it back to "merge" again. I'm not sure why "merge" didn't work right away (as it should have). Does anyone have any ideas how that could have happened? Other than that, it's all working perfectly now. Thanks everyone.

@Austin Correct. If a policy has both elements it needs to be applied to where object type exists. The only exception is loopback processing as Rex mentions.

Good to know. Most of our GPOs so far have been applied at the domain level, so we never had to consider that before. Thanks for clarifying.